<div dir="ltr">Hello Hui,<div><br></div><div>You are totally right. I was confused; I didn't have to reassemble fragmented IP packets.</div><div><br></div><div>So I configured the Stream5 preprocessor so that it takes into account the port of my application (it's 9090).<br>

</div><div><br></div><div>I left my AddPreproc() with the priority set to PRIORITY_APPLICATION so that it's registered after Stream5.<br></div><div><br></div><div>Then I tried to get any packet with (p->flags & FLAG_REBUILT_STREAM), but none of them matched; it seems that the Stream5 preprocessor isn't reassembling my TCP segments.</div>

<div><br></div><div>The SNORT configuration file is set like this:<br></div><div><br></div><div>preprocessor stream5_global: track_tcp yes, \</div><div>    track_udp yes, \</div><div>    track_icmp no, \</div><div>    max_tcp 262144, \</div>

<div>    max_udp 131072, \</div><div>    max_active_responses 2, \</div><div>    min_response_seconds 5</div><div>preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \</div><div>    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \</div>

<div>    ports client 21 22, \</div><div>    ports both 9090</div><div>preprocessor stream5_udp: timeout 180</div><div><br></div><div>My app works on port 9090.</div><div><br></div><div>Maybe the problem is not related to stream5; maybe it originates because the one in charge of doing the segment reassembly is my preprocessor, at the application level, and not the stream5 preprocessor at the TCP level.</div>

<div><br></div><div>More on this: in Wireshark I can see all the packets of the protocol TCP-segmented, and if I go to Preferences-->Protocols-->TCP there is an option that says: "allow dissectors to reassemble TCP". It means that the reassembly isn't being done at the TCP layer, but in the application itself.</div>

<div><br></div><div>Do you know if SNORT has something like this? Or should Stream5 reassemble the payloads of the TCP packets?</div><div><br></div><div>Thanks a lot in advance,</div><div>Emiliano.</div></div><div class="gmail_extra">

<br><br><div class="gmail_quote">2013/12/4 Hui Cao <span dir="ltr"><<a href="mailto:hcao@...402..." target="_blank">hcao@...402...</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">


  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Frag3 will deal with IP fragmentation. You might want reassembled
    data from TCP. This means your preprocessor should be after stream
    and you should check<br>
    ((SFSnortPacket*)ipacketp)->flags & FLAG_REBUILT_STREAM. Snort
    will only reassemble up to the flush point defined (typically 16K).
    You can't expect Snort to give all the data in one reassembled
    packet.<br>
    <br>
    Fragmentation in Wireshark might mean TCP segmentation. You might
    be getting full IP packets.<br>
    <br>
    Best,<br>
    Hui. <br><div><div class="h5">
    <div>On 12/04/2013 03:17 PM, Emiliano Fausto
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Hui,
        <div><br>
        </div>
        <div>yes, I understood what you told me about filtering just the
          de-fragmented packets; that's why I added these 3 lines:</div>
        <div><br>
        </div>
        <div>SFSnortPacket *p = (SFSnortPacket *)pkt;</div>
        <div>int fla = (p->flags & FLAG_REBUILT_FRAG);</div>
        <div>_dpd.logMsg("Flags set? %d",fla);</div>
        <div><br>
        </div>
        <div>But I generate fragmented packets (which, for instance,
          Wireshark detects and shows as fragmented, with the possibility
          of reassembling them) and with each one I'm always getting the
          output: "Flags set? 0".</div>
        <div><br>
        </div>
        <div>I receive all the fragmented packets, but not the last one
          reassembled.</div>
        <div><br>
        </div>
        <div>Regards,</div>
        <div>Emiliano.</div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">2013/12/4 Hui Cao <span dir="ltr"><<a href="mailto:hcao@...402..." target="_blank">hcao@...402...</a>></span><br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">It will
            still get all packets including the raw packets. You need to<br>
            use packet flags to filter them.<br>
            <br>
            Best,<br>
            Hui.<br>
            <br>
            On Wed, Dec 4, 2013 at 3:00 PM, Emiliano Fausto<br>
            <div>
              <div><<a href="mailto:emiliano.fausto@...2499..." target="_blank">emiliano.fausto@...2499...</a>>
                wrote:<br>
                > Yes,<br>
                ><br>
                > that's what I thought, but for some reason the TCP
                packets keep on coming<br>
                > fragmented to my preprocessor.<br>
                ><br>
                > Now I took off all the preprocessors and just left
                frag3 and mine; I'll<br>
                > try to figure out if they are called in the correct
                order, but they are not<br>
                > being chained.<br>
                ><br>
                > Thanks,<br>
                > Emiliano.<br>
                ><br>
                ><br>
                > 2013/12/4 Hui Cao <<a href="mailto:hcao@...402..." target="_blank">hcao@...402...</a>><br>
                >><br>
                >> It looks good to me.<br>
                >><br>
                >> Best,<br>
                >> Hui.<br>
                >><br>
                >> On Wed, Dec 4, 2013 at 2:44 PM, Emiliano Fausto<br>
                >> <<a href="mailto:emiliano.fausto@...2499..." target="_blank">emiliano.fausto@...2499...</a>>
                wrote:<br>
                >> > Hi Hui,<br>
                >> ><br>
                >> > I've seen that I was using
                PRIORITY_TRANSPORT, which is lower than the<br>
                >> > PRIORITY_NETWORK that frag3 uses.<br>
                >> ><br>
                >> > Anyway, I set the priority PRIORITY_LAST
                on my own preprocessor, but<br>
                >> > the TCP packets keep arriving fragmented
                at my preprocessor.<br>
                >> ><br>
                >> > Is there anything else I should take into
                account?<br>
                >> ><br>
                >> > Thanks in advance,<br>
                >> > Emiliano.<br>
                >> ><br>
                >> ><br>
                >> > 2013/12/4 Hui Cao <<a href="mailto:hcao@...402..." target="_blank">hcao@...402...</a>><br>
                >> >><br>
                >> >> In src/preprocids.h<br>
                >> >><br>
                >> >> Best,<br>
                >> >> Hui.<br>
                >> >><br>
                >> >> On 12/04/2013 02:36 PM, Emiliano
                Fausto wrote:<br>
                >> >><br>
                >> >> Great,<br>
                >> >><br>
                >> >> so, the preprocessors are "chained"
                by default, and the order that<br>
                >> >> SNORT<br>
                >> >> follows to call them is set by the
                PRIORITY variable.<br>
                >> >><br>
                >> >> Do you know where this
                PRIORITY variable is defined? Because I saw that<br>
                >> >> frag3 is being registered with
                PRIORITY_NETWORK, so I'd like to set the<br>
                >> >> priority of my own preprocessor to
                (PRIORITY_NETWORK - 1).<br>
                >> >><br>
                >> >> Thanks in advance,<br>
                >> >> Emiliano<br>
                >> >><br>
                >> >><br>
                >> >> 2013/12/4 Hui Cao <<a href="mailto:hcao@...402..." target="_blank">hcao@...402...</a>><br>
                >> >>><br>
                >> >>> sc means snort configuration. We
                use PRIORITY to sort the processing.<br>
                >> >>> All<br>
                >> >>> enabled preprocessors will be called
                and processed based on priority. You<br>
                >> >>> have<br>
                >> >>> to rely on the code to figure out
                exactly what Snort does.<br>
                >> >>><br>
                >> >>> The checking is correct. You will
                only process rebuilt packets.<br>
                >> >>><br>
                >> >>> Best,<br>
                >> >>> Hui.<br>
                >> >>> On 12/04/2013 02:19 PM, Emiliano
                Fausto wrote:<br>
                >> >>><br>
                >> >>> Hello Hui,<br>
                >> >>><br>
                >> >>> thanks a lot for your answer.<br>
                >> >>><br>
                >> >>> Right now I have registered my
                preprocessor (let's call it<br>
                >> >>> examplePreprocess as you said,
                because right now I'm using the one<br>
                >> >>> provided<br>
                >> >>> with the DPX) with this line:<br>
                >> >>><br>
                >> >>> _dpd.addPreproc(ExampleProcess,
                PRIORITY_TRANSPORT, 10000,<br>
                >> >>> PROTO_BIT__TCP);<br>
                >> >>><br>
                >> >>> So the only change is to add
                the "sc" before the parameter<br>
                >> >>> ExampleProcess.<br>
                >> >>> What does it mean? Do
                you know if there's any documentation<br>
                >> >>> about<br>
                >> >>> this chaining of preprocessors?<br>
                >> >>><br>
                >> >>> So, checking the flags should be:<br>
                >> >>><br>
                >> >>>
                ((SFSnortPacket*)tcppacket)->flags &
                FLAG_REBUILT_FRAG<br>
                >> >>><br>
                >> >>> right?<br>
                >> >>><br>
                >> >>> Thanks again!<br>
                >> >>> Emiliano.<br>
                >> >>><br>
                >> >>><br>
                >> >>><br>
                >> >>> Then, I'll have to register my own
                preprocessor where?<br>
                >> >>><br>
                >> >>><br>
                >> >>> 2013/12/4 Hui Cao <<a href="mailto:hcao@...402..." target="_blank">hcao@...402...</a>><br>
                >> >>>><br>
                >> >>>> Yes, it is possible. You can
                register your preprocessor like this:<br>
                >> >>>><br>
                >> >>>> _dpd.addPreproc( sc,
                ExampleProcess, PRIORITY_TRANSPORT, You_PP_ID,<br>
                >> >>>> PROTO_BIT__IP );<br>
                >> >>>><br>
                >> >>>> Remember to check the following
                flag in your ExampleProcess:<br>
                >> >>>><br>
                >> >>>>
                ((SFSnortPacket*)ipacketp)->flags &
                FLAG_REBUILT_FRAG<br>
                >> >>>><br>
                >> >>>> Best,<br>
                >> >>>> Hui.<br>
                >> >>>><br>
                >> >>>><br>
                >> >>>> On 12/04/2013 12:52 PM,
                Emiliano Fausto wrote:<br>
                >> >>>><br>
                >> >>>> Hi everybody,<br>
                >> >>>><br>
                >> >>>> I'm creating a new
                preprocessor which needs to have the whole content<br>
                >> >>>> of<br>
                >> >>>> a packet which was fragmented.<br>
                >> >>>><br>
                >> >>>> So I thought of using the
                frag3 preprocessor to reassemble the<br>
                >> >>>> packets,<br>
                >> >>>> and then, when this reassembly
                is done, send it to my own<br>
                >> >>>> preprocessor.<br>
                >> >>>><br>
                >> >>>> Do you know if this is
                possible? Can I have the output of frag3 be<br>
                >> >>>> the input of my own
                preprocessor?<br>
                >> >>>><br>
                >> >>>> Regards,<br>
                >> >>>> Emiliano.<br>
                >> >>>><br>
                >> >>>><br>
                >> >>>><br>
                >> >>>><br>
                >> >>>><br>
                >> >>>><br>
                >> >>>><br>
                >> >>>>
                _______________________________________________<br>
                >> >>>> Snort-devel mailing list<br>
                >> >>>> <a href="mailto:Snort-devel@...2431...ts.sourceforge.net" target="_blank">Snort-devel@lists.sourceforge.net</a><br>
                >> >>>> <a href="https://lists.sourceforge.net/lists/listinfo/snort-devel" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-devel</a><br>
                >> >>>> Archive:<br>
                >> >>>> <a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel" target="_blank">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel</a><br>
                >> >>>><br>
                >> >>>> Please visit <a href="http://blog.snort.org" target="_blank">http://blog.snort.org</a> for the
                latest news about Snort!<br>
                >> >>>><br>
                >> >>><br>
                >> >>><br>
                >> >>><br>
                >> >><br>
                >> >><br>
                >> ><br>
                ><br>
                ><br>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
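Added example, not part of the thread above and not Snort's own code. It shows in working C the two points the exchange turns on: a preprocessor registered after Stream5 still receives every raw segment and has to filter on the rebuilt-stream flag, and because Stream5 flushes at its flush point (typically 16K) rather than at application-message boundaries, the preprocessor must carry a partial message over from one rebuilt packet to the next. The packet struct and the MOCK_FLAG_REBUILT_STREAM bit are stand-ins so the file compiles without Snort's headers; in a real dynamic preprocessor the callback receives an SFSnortPacket from sf_dynamic_preprocessor.h and tests FLAG_REBUILT_STREAM from there. The port (9090) and the priority name come from the thread; the 2-byte length-prefixed wire format and the sample bytes are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the few SFSnortPacket fields this example touches. It is NOT
 * Snort's struct: the real struct and the real FLAG_REBUILT_STREAM value come
 * from sf_dynamic_preprocessor.h; the bit below is an assumed placeholder. */
#define MOCK_FLAG_REBUILT_STREAM 0x00000001u
typedef struct {
    uint32_t       flags;          /* set by Stream5 on rebuilt pseudo-packets */
    uint16_t       src_port, dst_port;
    const uint8_t *payload;
    uint16_t       payload_size;
} mock_packet_t;

#define APP_PORT    9090   /* from the thread's "ports both 9090" */
#define APP_BUF_MAX 4096   /* per-session carry-over bound; size it for your protocol */

/* Per-session state the preprocessor must keep itself: Stream5 flushes at its
 * flush point (typically 16K), not at message boundaries, so one application
 * message can straddle two rebuilt packets and its tail must be carried over. */
typedef struct {
    uint8_t buf[APP_BUF_MAX];
    size_t  len;        /* bytes held back, waiting for the rest of a message */
    int     messages;   /* complete messages seen on this session */
    int     dropped;    /* times state was discarded (frame too large for buf) */
} app_session_t;

/* Hypothetical wire format for the port-9090 protocol: 2-byte big-endian length,
 * then that many body bytes. Returns messages completed by this chunk, or -1
 * when the session state had to be discarded. */
static int app_consume(app_session_t *s, const uint8_t *data, size_t n)
{
    int completed = 0;
    if (s->len + n > APP_BUF_MAX) {            /* never grow without bound on hostile input */
        s->len = 0; s->dropped++; return -1;
    }
    memcpy(s->buf + s->len, data, n);
    s->len += n;
    while (s->len >= 2) {
        size_t frame = 2 + (((size_t)s->buf[0] << 8) | s->buf[1]);
        if (frame > APP_BUF_MAX) { s->len = 0; s->dropped++; return -1; }
        if (s->len < frame) break;             /* incomplete: wait for the next rebuilt packet */
        /* s->buf[2 .. frame) is one whole application message: inspect it here */
        completed++;
        memmove(s->buf, s->buf + frame, s->len - frame);
        s->len -= frame;
    }
    s->messages += completed;
    return completed;
}

/* Shape of the callback body. Even registered after Stream5 (PRIORITY_APPLICATION)
 * it is handed every raw segment as well as the rebuilt pseudo-packets; the flag
 * tells them apart. Returns messages finished by this packet, or a negative
 * code when the packet was skipped. */
static int process_packet(app_session_t *s, const mock_packet_t *p)
{
    if (!(p->flags & MOCK_FLAG_REBUILT_STREAM))
        return -1;                             /* raw segment: Stream5 replays it reassembled */
    if (p->src_port != APP_PORT && p->dst_port != APP_PORT)
        return -2;                             /* not our protocol */
    return p->payload_size ? app_consume(s, p->payload, p->payload_size) : 0;
}

/* Constructed demo traffic: three length-prefixed messages (16 bytes), delivered
 * as one raw segment (must be ignored) and then two rebuilt packets cut at an
 * arbitrary "flush point" that splits the second message. Returns the number of
 * whole messages recovered, or a negative value if the raw segment was parsed. */
int demo_total_messages(void)
{
    static const uint8_t stream[] = {
        0x00, 0x03, 'a', 'b', 'c',                 /* msg 1: 5 bytes */
        0x00, 0x05, 'h', 'e', 'l', 'l', 'o',       /* msg 2: 7 bytes */
        0x00, 0x02, 'o', 'k' };                    /* msg 3: 4 bytes */
    const size_t flush = 8;                        /* lands after msg 2's 'h' */
    app_session_t sess;
    memset(&sess, 0, sizeof sess);
    mock_packet_t raw  = { 0, 40000, APP_PORT, stream, 5 };
    mock_packet_t reb1 = { MOCK_FLAG_REBUILT_STREAM, 40000, APP_PORT, stream, (uint16_t)flush };
    mock_packet_t reb2 = { MOCK_FLAG_REBUILT_STREAM, 40000, APP_PORT,
                           stream + flush, (uint16_t)(sizeof stream - flush) };
    if (process_packet(&sess, &raw) != -1 || sess.len != 0)
        return -100;                               /* raw segment must be skipped untouched */
    process_packet(&sess, &reb1);                  /* completes msg 1, holds back 3 bytes */
    process_packet(&sess, &reb2);                  /* completes msg 2 and msg 3 */
    return sess.messages;
}

int main(void)
{
    printf("messages recovered: %d\n", demo_total_messages());
    return 0;
}
```

The carry-over buffer is bounded on purpose: an attacker who controls the length prefix can otherwise make the preprocessor hold an unbounded amount per session, so the example discards state and counts it rather than growing. In a real preprocessor that state would hang off the Stream5 session (via the session API) rather than a local variable, and a session whose state was dropped should be treated as unparseable until a fresh message boundary can be found.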